Monthly Updates
A monthly brief of the technology, GRC and cybersecurity developments that matter to practitioners. Refreshed at the top of each month.
The EU AI Act’s high-risk clock runs out in August
From 2 August 2026 the EU AI Act’s obligations for high-risk systems apply in full: conformity assessments, technical documentation and human-oversight duties. Penalties are tiered, reaching €35M or 7% of global turnover for prohibited practices and up to €15M or 3% for failing the high-risk obligations themselves.
Why it matters
This is the assurance event of the year. If your organisation uses AI in hiring, credit or critical operations, internal audit’s job now is to confirm there is an AI inventory, a risk classification, and a real human in the loop with an actual kill switch — before a regulator asks. “We have a policy” will not survive a conformity assessment.
A SharePoint zero-day is being exploited in the wild
A critical SharePoint flaw (CVE-2026-32201) allows remote code execution and is under active exploitation; defenders are urged to patch quickly and, until they can, remove internet-facing instances from direct exposure.
Why it matters
“Actively exploited, patch still landing” is the scenario every incident plan should already rehearse. The control that matters this month is not a new tool — it is knowing, in minutes, which of your servers are internet-exposed and who owns the decision to take them down.
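The exposure question in the point above is answerable from an asset inventory if the inventory records addresses, roles and owners. The script below is an added example, not code from the original brief: it takes a constructed inventory (hostnames, addresses, roles and owners are all invented) and a constructed map of which internal hosts an edge reverse proxy publishes, then lists every host of a given role that is reachable from the internet and who owns it. The public address range uses the RFC 5737 documentation block 203.0.113.0/24 as a stand-in for an organisation's real allocation, which is why it is listed explicitly: Python's ipaddress module classifies documentation ranges as non-global.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    role: str
    owner: str

# Constructed inventory for this example; names, addresses and owners are invented.
INVENTORY = [
    Host("sp-web-01", "203.0.113.10", "sharepoint-wfe", "collab-platform"),
    Host("sp-web-02", "10.20.30.5", "sharepoint-wfe", "collab-platform"),
    Host("sp-app-01", "10.20.30.6", "sharepoint-app", "collab-platform"),
    Host("www-edge-01", "203.0.113.7", "reverse-proxy", "edge-team"),
    Host("fileshare-01", "192.168.4.9", "smb", "it-ops"),
]

# Constructed: the organisation's own public prefixes. A documentation block stands in
# for a real allocation here; ipaddress treats it as non-global, so list it explicitly.
PUBLIC_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed: internal backends that an edge reverse proxy publishes to the internet.
# A host on a private address is still exposed if a proxy fronts it.
PUBLISHED_BEHIND_PROXY = {"www-edge-01": {"sp-web-02"}}

def is_internet_reachable(host: Host, published: dict[str, set[str]]) -> tuple[bool, str]:
    """Return (reachable, reason) for one host.

    Reachable means the address is globally routable, sits in one of our public
    prefixes, or a published reverse proxy forwards to the host by name.
    """
    addr = ipaddress.ip_address(host.ip)
    if addr.is_global or any(addr in net for net in PUBLIC_PREFIXES):
        return True, "public address"
    for proxy, backends in published.items():
        if host.name in backends:
            return True, f"published via {proxy}"
    return False, "internal only"

def exposed_hosts(inventory: list[Host], role_prefix: str,
                  published: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """List (name, owner, reason) for internet-reachable hosts whose role starts with role_prefix."""
    hits = []
    for h in inventory:
        if not h.role.startswith(role_prefix):
            continue
        reachable, why = is_internet_reachable(h, published)
        if reachable:
            hits.append((h.name, h.owner, why))
    return hits

if __name__ == "__main__":
    for name, owner, why in exposed_hosts(INVENTORY, "sharepoint", PUBLISHED_BEHIND_PROXY):
        print(f"{name:14} owner={owner:16} {why}")
```

The proxy map is the part most inventories lack: a front end on a private address looks safe by IP alone, which is exactly the host that gets missed when the decision to take servers down is made in a hurry.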
183 million email credentials surface in a leak
A large dataset of exposed Gmail credentials circulated this month — a reminder that reused passwords from old breaches keep paying off for attackers long after the original incident.
Why it matters
Credential reuse is still the cheapest way into an enterprise. The fix is unglamorous and overdue: phishing-resistant MFA everywhere it touches sensitive data, and an honest review of the service accounts that quietly skip it.
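The unglamorous companion to MFA is refusing passwords that already appear in breach corpora, and doing so without shipping the password anywhere. The code below is an added example, not part of the original brief, of the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords service uses: only the first five hex characters of the SHA-1 hash leave the host, the service returns every matching hash suffix with a count, and the match is made locally. The range response here is constructed for the example (the suffix for the string "password" is its genuine SHA-1 suffix, but the counts and the other suffixes are invented), so it runs offline; a real deployment would replace the lookup callable with an HTTP GET of https://api.pwnedpasswords.com/range/{prefix}.

```python
import hashlib
from typing import Callable

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the hash the range protocol is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str) -> tuple[str, str]:
    """Split into the 5-char prefix that is sent and the 35-char suffix that stays local."""
    h = sha1_hex(password)
    return h[:5], h[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus; 0 if unseen."""
    prefix, suffix = split_hash(password)
    counts = parse_range_response(range_lookup(prefix))  # only the prefix is disclosed
    return counts.get(suffix, 0)

def password_verdict(password: str, range_lookup: Callable[[str], str],
                     min_len: int = 12) -> str:
    """Reject short or breached passwords, in that order; 'ok' otherwise."""
    if len(password) < min_len:
        return "too short"
    n = breach_count(password, range_lookup)
    if n > 0:
        return f"breached ({n} occurrences)"
    return "ok"

# Constructed range response for prefix 5BAA6 (SHA-1 of "password" begins 5BAA6).
# The second suffix is the genuine remainder of that hash; counts and the others are invented.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "0C0F5E9A1B2C3D4E5F60718293A4B5C6D7E:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "FE0B1A2C3D4E5F60718293A4B5C6D7E8F9A:1",
    ]),
}

def offline_lookup(prefix: str) -> str:
    """Stand-in for the network call; unknown prefixes return an empty range."""
    return SAMPLE_RANGES.get(prefix, "")

if __name__ == "__main__":
    for pw in ("password", "password1234", "correct horse battery staple 42"):
        print(f"{pw!r}: {password_verdict(pw, offline_lookup)}")
```

Order matters in password_verdict: length is checked first so that an obviously weak password never triggers a lookup at all, and the lookup callable is injected so the same logic can be exercised against recorded responses in tests.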
PCAOB’s QC 1000 quality regime nears its deadline
The PCAOB’s QC 1000 and AS 2901 take effect on 15 December 2026, requiring firms to run a comprehensive, risk-based quality-control system and report specific QC findings to the Board.
Why it matters
Even if you are an internal function the PCAOB never inspects, the idea travels: a risk-based quality system that catches your own deficiencies before anyone else does. Borrow the mindset now — inventory your assurance risks and build the monitoring that proves you are managing them.
AI in audit moves from pilot to standards conversation
The PCAOB’s refreshed advisory groups are set to weigh in on the use of AI in audits — a signal the profession is moving from quiet experimentation toward documented expectations.
Why it matters
If you are using AI in fieldwork, start writing it down: which tasks, which prompts, and what a human actually reviewed. The teams who can show their AI workpapers are defensible will be far ahead of the ones improvising when the question finally comes.
AI governance is hardening into enforceable rules
Analysts describe 2026 as the year AI governance shifts from principles to enforceable expectations: documented AI inventories, risk classifications, third-party due diligence and model-lifecycle controls — measured by KRIs, not policy PDFs.
Why it matters
The board question is no longer “do we have an AI policy?” but “show me the inventory and the metrics.” Build a living AI register and a handful of real KRIs now; retrofitting governance onto AI already embedded in critical processes is the expensive path.
The US AI-rule map keeps fragmenting
State AI laws keep advancing — Colorado’s high-risk-AI law is set for 30 June 2026 — even as a federal push aims to centralise and preempt them, leaving multi-state businesses with an uncertain patchwork.
Why it matters
Do not bet your compliance programme on federal preemption arriving in time. Map each AI use to the strictest rule that could apply to it; that is far cheaper than guessing wrong and re-papering vendor contracts later.
A 13-country operation targets Middle East cyber threats
Law enforcement ran “Operation Ramz,” a thirteen-country effort against cyber threats across the Middle East and North Africa — part of a clear rise in coordinated, cross-border takedowns.
Why it matters
Cross-border enforcement is getting faster, and that changes your incident playbook. Decide in advance when and how you would engage law enforcement, and which regulators — and which PDPL duties — a multi-jurisdiction breach would trigger.
One threat actor, dozens of data-extortion victims
Researchers tied dozens of large data thefts to a single actor this month, spanning sectors and geographies — much of it lifted from poorly guarded third-party data stores rather than the victims’ own networks.
Why it matters
Your data does not have to live on your network to become your headline. Tier vendors by the sensitivity of the data they hold, demand evidence of their controls, and rehearse the breach you do not control — because that is the one that is coming.